AW: Question Update Java Security Updates

Rob Farmer rfarmer at predatorlabs.net
Sun Mar 13 00:57:14 UTC 2011


On Sat, Mar 12, 2011 at 8:24 AM, Roger Marquis <marquis at roble.com> wrote:
>>> The reason for that is that they haven't been necessary.  This cannot be
>>> said for openjdk, not yet at least.
>>>
>>
>> There have been 191 "vulnerabilities" for the lifetime of JDK 1.6,
>> according to Secunia. java/jdk16 is at update 4 out of 24. Unless you
>> are running only trusted local apps with no networking support, that
>> is highly dubious.
>
> Vulnerability is relative to your application of course.  The
> "vulnerabilities" you cite for JDK have not been relevant to my servers
> or apps or most commonly used apps (other than webstart).  That cannot be
> said for the Openjdk.
>
> But equating advisories with vulnerabilities does bring up an important
> point, and I expect religious preferences will continue to take
> precedence over actual user experience.
>
> Roger Marquis
>

If you have info showing that these vulnerabilities are bogus and
don't affect most people, please post it. Sun thought the issues were
important enough to patch and the "important point" it raises is that,
for Java, I trust Sun more than you.

If mailing list traffic (here, questions, ports) is any indication,
most people using Java care about the browser plugin. And the patch 4
plugin is vulnerable to a number of issues. That's not an opinion. The
best that can be said is that most exploits will be Windows specific.

This change is almost certainly going to happen, sooner or later.
There's nothing happening with the old ports. If you have issues with
openjdk, it would be in your best interest to raise specific
complaints so they can be fixed, rather than make accusations about
"religious preferences."

-- 
Rob Farmer

